
LayerZero Post Mortem Shows Lazarus Group's $290M Heist
A recent LayerZero post mortem reveals that North Korea's Lazarus Group executed a $290M theft from KelpDAO's rsETH bridge by compromising two LayerZero RPC nodes.
Attack Vector and Methodology
The attacker hacked the nodes, deployed malware to feed false transaction data exclusively to LayerZero's verifier while maintaining honest responses to monitoring systems, then DDoS'd legitimate RPC endpoints to force the verifier to rely on the poisoned nodes.
Key Steps in the Attack
- Compromising two LayerZero RPC nodes that feed data to the protocol's verifier
- Deploying malware to feed false transaction data
- DDoS'ing legitimate RPC endpoints
LayerZero's Response and Contagion Limitation
LayerZero Labs confirmed KelpDAO used a 1-of-1 DVN (Decentralized Verifier Network) setup—a single point of failure the protocol had repeatedly warned against—limiting contagion to KelpDAO's bridge with no reported impact on other assets.
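The two design points above, a verifier that trusts one data source and an outage used to force reliance on whatever source is still answering, can be shown with a small simulation. The Python below is an added example written for this page, not LayerZero's, KelpDAO's or any DVN's code; the node names, message id and payload hashes are constructed, and the verifier logic is a generic threshold check rather than the protocol's actual implementation. It contrasts a 1-of-1 configuration, which accepts whatever its single source reports, with an M-of-N check over independent sources that outvotes and flags a divergent node and fails closed when too few sources are reachable.

```python
"""Simulated cross-chain message verification over independent RPC sources.

Constructed example (not LayerZero/KelpDAO code). It demonstrates:
  1. a 1-of-1 verifier has no way to notice a poisoned source;
  2. an M-of-N verifier over independent sources outvotes a minority of
     poisoned nodes and reports the divergence for alerting;
  3. when sources become unreachable, the verifier fails closed rather
     than dropping below its agreement threshold.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    message_id: str
    payload_hash: str  # hash of the cross-chain message as this node reports it
    block_number: int


class NodeUnavailable(Exception):
    """Raised by a source that cannot be reached (e.g. during an outage)."""


# A source maps a message id to the Observation that node reports for it.
RpcSource = Callable[[str], Observation]


@dataclass(frozen=True)
class VerificationResult:
    accepted: bool
    reason: str
    payload_hash: Optional[str]
    disagreeing: Tuple[str, ...]   # sources whose answer differed from the accepted one
    unavailable: Tuple[str, ...]   # sources that did not answer


def verify_message(message_id: str, sources: Dict[str, RpcSource],
                   required: int) -> VerificationResult:
    """Accept a payload hash only if at least `required` sources agree on it.

    `required` is the agreement threshold (1 reproduces a 1-of-1 setup).
    Unreachable sources never count towards agreement, so an outage cannot
    lower the bar; it can only make verification fail closed.
    """
    answers: Dict[str, str] = {}
    unavailable = []
    for name, source in sources.items():
        try:
            answers[name] = source(message_id).payload_hash
        except NodeUnavailable:
            unavailable.append(name)

    if len(answers) < required:
        return VerificationResult(False, "too few sources reachable; failing closed",
                                  None, (), tuple(unavailable))

    counts = Counter(answers.values())
    meeting_threshold = [h for h, c in counts.items() if c >= required]
    if len(meeting_threshold) != 1:
        # Either no hash reached the threshold, or two did (ambiguous split).
        return VerificationResult(False, "no single payload hash reached the threshold",
                                  None, tuple(sorted(answers)), tuple(unavailable))

    accepted_hash = meeting_threshold[0]
    # Divergent sources are outvoted, but their existence is the detection signal:
    # a production verifier should alert on any non-empty `disagreeing`.
    disagreeing = tuple(sorted(n for n, h in answers.items() if h != accepted_hash))
    return VerificationResult(True, "threshold reached", accepted_hash,
                              disagreeing, tuple(unavailable))


# --- Constructed sources -----------------------------------------------------
HONEST_HASH = "0xaaaa"  # constructed placeholder for the real message hash
FORGED_HASH = "0xbbbb"  # constructed placeholder for a poisoned node's answer


def honest_node(message_id: str) -> Observation:
    return Observation(message_id, HONEST_HASH, 100)


def poisoned_node(message_id: str) -> Observation:
    # Reports a forged payload hash to the verifier.
    return Observation(message_id, FORGED_HASH, 100)


def dead_node(message_id: str) -> Observation:
    raise NodeUnavailable(message_id)


def scenario_single_source() -> VerificationResult:
    # 1-of-1: the verifier's only source is poisoned, so the forged hash is accepted.
    return verify_message("msg-1", {"rpc-a": poisoned_node}, required=1)


def scenario_quorum_outvotes_poisoned_node() -> VerificationResult:
    # 2-of-3 over independent providers: the poisoned node is outvoted and named.
    return verify_message("msg-1", {"rpc-a": poisoned_node, "rpc-b": honest_node,
                                    "rpc-c": honest_node}, required=2)


def scenario_outage_fails_closed() -> VerificationResult:
    # Honest providers unreachable, only the poisoned one answers: below threshold, reject.
    return verify_message("msg-1", {"rpc-a": poisoned_node, "rpc-b": dead_node,
                                    "rpc-c": dead_node}, required=2)


if __name__ == "__main__":
    for scenario in (scenario_single_source, scenario_quorum_outvotes_poisoned_node,
                     scenario_outage_fails_closed):
        print(scenario.__name__, scenario())
```

The single-source scenario is the structural weakness the post mortem describes: with one source there is nothing to compare against, so the verifier cannot distinguish a poisoned node from an honest one. The threshold variant only helps if the sources are operationally independent (different providers, hosts and credentials); three nodes behind one compromised deployment pipeline are still one source.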
Security Implications
Security researchers noted the attack vector raises unanswered questions about how the attacker obtained the RPC node list and achieved root-level access to production infrastructure, suggesting either a prior unreported LayerZero compromise, a breached deployment pipeline, or insider access rather than a Kelp-side misconfiguration.
Insights from the LayerZero Post Mortem
The LayerZero post mortem shows that the attacker stole $290M in unbacked rsETH before the malware self-destructed and deleted all traces.
Key Takeaways
- The Lazarus Group executed a $290M theft from KelpDAO's rsETH bridge
- The attack was made possible by compromising two LayerZero RPC nodes
- KelpDAO's 1-of-1 DVN setup was the single point of failure; the damage was limited to KelpDAO's bridge
- The attack raises concerns about the security of DeFi protocols
Frequently Asked Questions
What was the extent of the damage from the LayerZero attack?
The attack resulted in a $290M theft from KelpDAO's rsETH bridge, with no reported impact on other assets.
How did the attacker gain access to the LayerZero RPC nodes?
The attacker's method of obtaining the RPC node list and achieving root-level access to production infrastructure remains unclear, with possibilities including a prior unreported compromise, a breached deployment pipeline, or insider access.